You may remember an article I wrote last summer about “hack-in-a-box” tools: off-the-shelf products that let novices hack WiFi networks by simply flipping a switch.

One of the products I talked about is called WiFi Pineapple. As I wrote in last year’s post, WiFi Pineapple has only one purpose: to hack into unsecured WiFi communications. They even admit it on their website:

Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder.

Well, guess what?

Darren Kitchen, the guy who created WiFi Pineapple, is back in the news and is aggressively touting his hacking tool.

Kitchen appeared at the SXSW 2012 conference in Austin and gave a talk entitled “Securing Your Information in a Target Rich Environment.” As part of his pitch, he used WiFi Pineapple to intercept the unsecured WiFi communications of conference participants.

In a nutshell, WiFi Pineapple and other products like it are known as “hotspot honeypots.” When WiFi Pineapple is activated, it steals the credentials of legitimate WiFi networks that users have accessed in the past. So when users log into what they think is a real WiFi network, they are actually accessing the fake access point set up by WiFi Pineapple.

At that point, the owner of the WiFi Pineapple could launch a man-in-the-middle attack and steal passwords and other data. Kitchen says he doesn’t do that, of course.
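The behaviour described above, a rogue access point answering for whatever network name a client asks for, has a simple defensive signature: one radio (one BSSID) ends up claiming many different SSIDs, while a legitimate access point claims one or a handful. The following is an added example, not code from the original post or from the Pineapple project, that runs that check over a few constructed probe-response log lines; the log format, field names and the threshold of three SSIDs are assumptions for illustration, not any real monitor's output or a recommended tuning.

```python
"""
Added example: flag access points that answer probe requests for many
distinct network names, the "hotspot honeypot" pattern the article
describes. Everything below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed log lines (assumed format, not a real tool's output): one
# 802.11 management frame per line, as a wireless monitor might record them.
SAMPLE_LOG = """\
probe-resp bssid=aa:bb:cc:00:00:01 ssid=HomeNet
probe-resp bssid=aa:bb:cc:00:00:01 ssid=HomeNet
probe-resp bssid=aa:bb:cc:00:00:02 ssid=CoffeeShop-Guest
beacon     bssid=aa:bb:cc:00:00:02 ssid=CoffeeShop-Guest
probe-resp bssid=de:ad:be:ef:00:01 ssid=HomeNet
probe-resp bssid=de:ad:be:ef:00:01 ssid=CoffeeShop-Guest
probe-resp bssid=de:ad:be:ef:00:01 ssid=AirportFreeWiFi
probe-resp bssid=de:ad:be:ef:00:01 ssid=OfficeWLAN
probe-resp bssid=de:ad:be:ef:00:01 ssid=xfinitywifi
"""

# Only probe responses matter here; beacons and other frames are ignored.
LINE_RE = re.compile(
    r"^probe-resp\s+bssid=(?P<bssid>[0-9a-f:]{17})\s+ssid=(?P<ssid>\S+)$"
)


def parse_probe_responses(text):
    """Return a list of (bssid, ssid) pairs for each probe-response line."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append((match.group("bssid"), match.group("ssid")))
    return records


def ssids_per_bssid(records):
    """Group the distinct SSIDs each BSSID has answered for."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid].add(ssid)
    return seen


def find_suspect_aps(records, max_ssids=3):
    """BSSIDs answering for more than max_ssids distinct names.

    Multi-SSID enterprise radios legitimately advertise several names, so
    the threshold is a tuning knob (assumed value), not a hard rule.
    Returns [(bssid, sorted ssid list)] with the worst offender first.
    """
    grouped = ssids_per_bssid(records)
    suspects = [(b, sorted(s)) for b, s in grouped.items() if len(s) > max_ssids]
    suspects.sort(key=lambda item: (-len(item[1]), item[0]))
    return suspects


def impersonated_ssids(records, max_ssids=3):
    """Network names claimed both by a suspect AP and by some other AP.

    These are the names a client could auto-join on the wrong radio, so
    they are the ones worth warning users about first.
    """
    grouped = ssids_per_bssid(records)
    suspect = {b for b, s in grouped.items() if len(s) > max_ssids}
    other_names, suspect_names = set(), set()
    for bssid, names in grouped.items():
        (suspect_names if bssid in suspect else other_names).update(names)
    return sorted(other_names & suspect_names)


if __name__ == "__main__":
    recs = parse_probe_responses(SAMPLE_LOG)
    for bssid, names in find_suspect_aps(recs):
        print(f"suspect AP {bssid} answered for {len(names)} names: {names}")
    print("impersonated networks:", impersonated_ssids(recs))
```

The check is deliberately coarse: it needs only a monitor-mode capture of management frames and no knowledge of the client side, and it reports which trusted network names are being impersonated so a user or help desk can tell people which saved networks to forget until they are off the hotspot.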

Kitchen says his main objective is to simply illustrate how unsafe unsecured WiFi networks are, and to let consumers know that they need to protect themselves. He says he sells WiFi Pineapple mainly to government and security professionals who do penetration testing on their own networks.

As I said last year, WiFi Pineapple is a toy that has no legitimate use.

It does not even pretend to be anything but a hacking device. Worse, it puts these hacking tools in the hands of adolescent hackers. All someone needs is about $90 and they can become a professional data thief.

While Kitchen maintains that he sells his product mainly to security professionals, they have plenty of other ways to conduct security audits. There are many free tools available on the Internet, made specifically for security professionals, that do a much better job of meeting the legitimate needs of managing WiFi networks.

So who exactly is buying WiFi Pineapple? As Kitchen’s marketing seems to target novice hackers instead of security professionals, one has to wonder.

At the very least, WiFi Pineapple is a good reminder that you should always protect your communications in WiFi hotspots using a virtual private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.

Kent Lawson is the CEO & Chairman of Private Communications Corporation and creator of its flagship software PRIVATE WiFi. He combined his extensive business and technical experience to develop PRIVATE WiFi in 2010. The software is an easy-to-use Virtual Private Network (VPN) that protects your sensitive personal information whenever you’re connected to a public WiFi network. Follow Kent on Twitter: @KentLawson.

53 Responses

While this does raise concerns, I don’t completely agree with all of it. Agreed, selling tools to assist in ‘hacking’ for “malicious” purposes is wrong, but that’s not what is being done here, so targeting a person for that is difficult. I say that with the understanding that with the help of YouTube and some Linux software (even Windows software), it’s not hard to do the exact same thing that is being done with the WiFi Pineapple, and this can be done at no cost. Agreed that packaging a device that can cause more damage than good is not at all productive regarding security awareness. However, that’s exactly what’s being done – awareness. Without people making us aware of these security vulnerabilities, we can in fact be harmed by someone who is ‘really’ looking to do harm. Sometimes it takes a little ‘bump’ like this to REALLY kick security improvements into gear.
As far as I can understand, it seems selling this tool is a means to support the Hak5 team and keep what is an informative web show active and alive. Would it be wrong to give out instructions for the creation of this device and others like it? If so, YouTube needs a revamp, because when it comes to ‘hacking newbies’ this is the central hub.
Another factor to consider is that the tool is only as harmful as its user. If a user intends on causing harm, they don’t need a $90 tool to do so.. all they need is a computer, and if they are a novice attacker, all they need is YouTube.
I believe that targeting a person for selling a device like this is noted, but no different than targeting Walmart for selling laptops.
Just my 2c.

Real hackers are about education, and the WiFi Pineapple is a great teaching tool and Darren is a great teacher. I own one and have never stolen credentials, nor would I; however, as a computer pro I need to know about such vulnerabilities so that I may educate my customers.

You don’t need a product for any of this. A free download of Wireshark on your laptop will let you do about 50% of what Pineapple can do. A free download of Kali Linux will let you do the other 50%. There are tutorial articles or videos available pretty much everywhere.

The thing is sometimes you do not need a robust platform to run custom scripting, etc. It is nice to plug, program, and drop something to do the bulk of work, especially during initial phases when we do not necessarily know what we are looking for. It’s all part of mapping the environment.

At least be accurate in your reporting. “When WiFi Pineapple is activated, it steals the credentials of legitimate wifi networks that users have accessed in the past.” That is an incorrect statement, the legitimate wifi network credentials are not stolen, they are impersonated. The Wifi Pineapple simply replies “yes” to all auto-connect probe requests when Karma is active. Otherwise it is just like any other Honey Pot that requires a person to manually connect.

True skimpniff, I didn’t notice that. All it does is fool the PC into believing it is connected to a trusted network. It can’t steal information immediately, the pineapple user has to decide if they want to “steal” credentials and personal data.

Most of the people that use this and other devices are using it to learn and teach. I was able to find my stolen laptop with it which took almost a year. I plan to buy another pineapple as mine is kind of old, maybe I can get them to hack each other :)

I just ordered the “elite” pineapple package. It doesn’t increase my abilities one iota. I could drop a netbook onto a network and run all the same tools for practically the same price (the batteries would also last longer).

As an attorney and tech, I am often tapped to educate fellow lawyers on all manner of security issues. I bring some linux netbooks and do some tricks. The average lawyer is not capable of understanding the specifics of an attack. My goal is always to demonstrate what is possible and why they need to protect themselves. Fear is a large part of that goal. But eyes always glaze over at the sight of a command line interface. They are left with the false impression that the attacks are unprofessional and difficult to execute.

The pineapple elite is a polished device with a professional-looking interface. Literally a black box, it looks scary. The fact that I purchased it openly, as opposed to building my own, adds to the fear and should increase the effectiveness of my demonstrations.

It does offer a legitimate use as a penetration testing tool, just like how lock picks have legitimate benefits for penetration testers. Just because Kitchen developed a tool that has the potential to be used maliciously doesn’t mean it will be. If you want to pimp your VPN to people that actually know what they’re doing when it comes to digital security you’re going to want to write less biased articles.

contacted this hacker bradhaccer@aol.com i think he is based in australia,helped me hack my husbands facebook account and email ,now my marriage is saved,his ex girl friend was trying to get back with him


You could have made such a huge sales pitch if what YOU_ARE_SELLING is immune to such attacks, but noooeees, that would be too easy, so you just bitch around about tools that enable people at home to test and harden their networks. The only thing that really bugs you is that you don’t see a wooden nickel from it. You could care less about the little man’s netsec.

Great journalism. Not only is it by a man whose company makes its money off of uninformed, tech-illiterate fools, but this article is filled with errors. One of the most obvious being “Darren Kitchen, the guy who created WiFi Pineapple”. It takes all but a look at the WiFi Pineapple page itself (which I assumed you did) to know he didn’t create it.

Hi Kent – I work in online child protection and security consulting / pen testing and I have to tell you that your article is very wrong in many respects. The WiFiP has a lot of genuine uses in security and is a fantastic demo tool to teenagers regarding their security in open wifi hotspots where they lose a lot of data including credentials. Pat

Says the man making money from the vulnerabilities this toy exploits. If you’re the victim of a hack using a Pineapple, then you should turn your computer off and not turn it back on (ever). And if you’re paying this company to protect your WiFi network, then you need to ask yourself why you are wasting your money on this when anyone can configure a VPN for you.

Lawson, you’re an ID-10-T….. If people stopped buying illegal drugs there would be no drug problem; if ID-10-Ts would quit writing crappy software, there would be no security problem. Someone needs to point this stuff out and quit hiding it. Obviously your company is worthless.

Your last statement completely negates your earlier, uninformed, rant. The reason this tool is useful is to inform people of the dangers of open WiFi networks. Anyone can be a fearmonger. That’s the easy route.

Your servers are the endpoint of the encryption tunnel, which means someone at your company (should they CHOOSE to do so) could compromise the information between the point it arrives at your servers and the point at which the data is sent to its destination. You attempt to vilify Darren Kitchen’s teachings on the need for computer security. I can only guess that our newfound security is interfering with your true goals?

I don’t understand the point of this article; it seems Kent is a bit jealous of the WiFi Pineapple and Darren’s success. Since when did CEOs show morality in general, let alone within business… Darren isn’t breaking any laws by selling the Pineapple, and he’s not promoting malicious use of it or promoting illegal activities….

I await the article he writes when he discovers anyone with a few hundred dollars can purchase a handgun…

“At the very least, WiFi Pineapple is a good reminder that you should always protect your communications in wifi hotspots using a virtual private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.”
This is what is called a sales trick: they try to scare people into paying for their VPN service :)

Not a great article. I am thinking of buying the Pineapple device to test the security of my OWN wifi and my friends’ wifi devices in order that I can up their security.

That IS a legitimate use.

Your argument is parallel to saying that crowbars never have a legitimate use. However, if someone is thought to be inside their house and they are in danger and unable to open the door, e.g. an attempted suicide case or some kind of medical emergency, then using a crowbar to break into their house in order to save their life is a legitimate use of force. How you fail to see this is a bit difficult to see. An ‘imagination’ error, I suppose ;-)

I am an IT (guy) and I did not buy my WiFi Pineapple for hacking at all. I bought it as an inexpensive WiFi access point that I can control every aspect of.

Considering basic access points are $120+ and most don’t have basic management functionality, I like having something that is only $90.

Just because an item can be used in one way does not make it the only way. If we all took your approach, we would all have plastic scissors and butter knives because some people kill using normal scissors and knives.

First of all the tool intercepts insecure and *secured* communications and strips out the protection (sslstrip) and it has several “legitimate” purposes, since the author is unable to imagine or unaware of using the pineapple for pen testing (legit use) or simply testing your own wireless communications (legit) it simplifies the process for the “average” user.
This is another propaganda piece aimed at telling us how bad “hackers” are and how scary everything is because you don’t understand it.

All I heard from this article was, “Don’t buy the WiFi Pineapple,” followed by a meager attempt at discrediting its use and manufacture. Judging by your article, you’re not familiar with this product whatsoever. Just to point out a few flaws in your argument: network auditing is but one of its many uses, but you miss the big picture. This is a tool that acts as a platform for developers to introduce new tools and uses with each update. Sure, you can create a honeypot. Did you know you can also capture ADSB and stream it to a remote server? Did you know that you can capture Bluetooth packets and stream them to a tool that automatically decodes the data? What about SSL strip deployed on a busy apartment complex rooftop, with built-in cellular data modem support? I’d like to see your itemized list of portable solutions that can deploy remotely and beam back via SSH for packet analyzing. This article really discredits your capability to recognize major potentials; or did you recognize it as a threat to your own business solutions? Either way, you’d be amazed if you actually used the product.

Actually now I am going to pen test your software and find a hole in it. I always do. After that I am going to post the exploit here and show you how valuable the wifi pineapple can be. As long as it is being humped over RF, it is hackable;)

Who do you think makes better VPNs than the joke you mentioned, as well as other privacy measures? You think they are made by some “security professionals”? That is just a synonym for the term white hat hacker, and where do you think they come from? Go ahead, guess, and then thank those “novice hackers” for becoming the people who protect you from other, real threats, unlike the Pineapple. And maybe find a better way to advertise your awful VPN other than denouncing a quality product, something people like you don’t understand.

Kitchen Kaboodle sells knives ridiculously cheap and I am sure they are putting these dangerous weapons in the hands of adolescents that could use them to commit murder or assault. Yes those knives could be used to cut meats and vegetables and have other legitimate purposes but frankly since we have other tools for that, like scissors, we really have no real legitimate use to sell knives anymore.

Yes Kent, that is exactly how your argument sounds in real life. I understand that this ‘blog posting’ is really an advertisement for your company but do not assume all of your potential customers are morons. You can inform people of the dangers at hand while letting them know you have a product that can help them without villainizing a legitimate tool used for security professionals.

Oh really so it can’t be used as a regular router, wireless extender or as a 3G modem? Those all seem like legitimate uses to me. We all know how you people get off and get higher traffic with panic inducing news.

Blah! This is some of the saddest advertising I’ve seen in a short while. The Pineapple is a router with some extra software on it, the same software this guy touts the “professionals” use. Honestly, let’s go over a few things you can do with the WP without breaking the law.

1. Use it as a router (BIG DUH! that’s what it is)
2. Enable non-WiFi devices to connect to WiFi networks over ethernet (use it as an ethernet-to-WiFi adapter)
3. Cell phone hotspot: connect a cell USB data card supported by the OS and use it as a hotspot
4. Test box for anything WiFi security related. Instead of lugging around a router, the WP is much smaller than most, costing about the same. Take it to LAN parties (a little Capture the Flag?)
5. Umm, as it was designed, a portable WiFi pentest box. I used to lug around a netbook, my tablet, and phone. Now all I really need is a WP and my phone. Although some clients tend to think you’re not doing the job as well. But that’s because they don’t understand what’s being done in the first place.

I could probably go on, but as this article is very old, I doubt it’s getting many views nowadays.
Cheers from one of the “Novice Hackers” with only 20 years experience and certifications. :(